Thursday, July 28, 2011

I am performing a domain migration and ran into the following error in the migration logs for a user account:

2011-07-29 13:37:35 WRN1:7665 Unable to create or merge object 'CN=Joe Blow,OU=My Users,DC=domain,DC=local' as another instance of ADMT is currently creating or merging the same object.

I had started migrating Joe Blow to the new forest using ADMT but then realised I hadn't started the Password Export Server on the source domain so I hit "Stop" to stop the migration. I then went and started Password Export Server and tried to migrate the account again. This is where I received the above error.

What happened was that ADMT recorded in the ADMT migration SQL database that the account is currently locked because it is undergoing migration.

Wednesday, July 27, 2011

When designing Active Directory Sites and Services, you usually decide which Active Directory site objects to place your domain controllers in. Sites are usually mapped to physical locations but can also be logical, depending on your design.

However, there is a registry key on domain controllers that allows a domain controller to be authoritative for more than one site object in Active Directory. This registry key is known as SiteCoverage.

I had a different problem from the ones mentioned in the above forum thread. One of my forests was set up with what's called a single-label domain name. ADMT was having difficulty communicating with all domains within the single-label forest.

To resolve this, on the ADMT server I needed to add a DWORD registry value "AllowSingleLabelDnsDomain" with a decimal value of 1.

ADMT was then able to communicate with all domains in the forest that had a single-label root domain.

Monday, July 18, 2011

Today I stumbled across a fantastic little application called SyncToy. It is perfect for home users who want to back up data on a regular basis to an external drive, between computers, or to a mapped drive pointing to a cloud provider such as Windows Live.

SyncToy 2.1 is a free application that synchronizes files and folders between locations. Typical uses include sharing files, such as photos, with other computers and creating backup copies of files and folders.

It is so easy to use, I think my mum could do it.

Here I have set up synchronization of My Documents to my Microsoft Windows Live SkyDrive cloud account to ensure my documents are backed up at all times. This is a free service. It also lets me sync the files down to any new computer I work on.

Z:\ is mapped to my Windows Live cloud account.


As of this writing the latest version of SyncToy is 2.1. The x86 and x64 versions are available from here:

It turned out that the partitions "DomainDNSZones" and "ForestDNSZones" were a lost cause. To fix this, you need to perform the following steps:

1. Use NTDSUtil to remove the replicas for both ForestDNSZones and DomainDNSZones. Wait for replication. Verify the changes took place, then delete each of the partitions.

2. After the deletion has replicated to all domain controllers, go into DNS Management and change the zone replication scope to Forest Level/Domain Level. Active Directory will automatically recreate the partition within Active Directory. These new AD application partitions will automatically replicate to all DNS servers and will then be accessible through ADSI Edit.

It may take over 30 minutes for the DNS zone to synchronise around the forest; AD is very slow when it comes to DNS.

After this, no errors show up in the DNS or Active Directory event logs, and diagnostics come back clean.
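Step 1 above says to verify that the replica removal took place before deleting the partitions, and the post closes by checking that the recreated partitions are back. The following PowerShell script is an added example (not from the original post) that enumerates the forest's application partitions via System.DirectoryServices.ActiveDirectory and reports which domain controllers hold a replica of DomainDnsZones and ForestDnsZones, so it can be run before step 1, between the steps, and after step 2. It assumes it runs on a domain-joined machine with read access to the configuration partition; the function name and the "domain.local" name in the comments are illustrative.

```powershell
# Added example, not code from the original post: report which DCs hold a
# replica of the DomainDnsZones / ForestDnsZones application partitions.
# Assumes a domain-joined machine with rights to read the configuration NC.
Add-Type -AssemblyName System.DirectoryServices

function Get-DnsApplicationPartitionReplicas {
    param(
        # Partition names to look for; defaults are the two partitions in the post
        [string[]] $Pattern = @('DomainDnsZones', 'ForestDnsZones')
    )
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($partition in $forest.ApplicationPartitions) {
        # Partition names are DNs, e.g. DC=DomainDnsZones,DC=domain,DC=local (illustrative)
        $matched = $Pattern | Where-Object { $partition.Name -like "*$_*" }
        if (-not $matched) { continue }
        # FindAllDirectoryServers() returns every DC currently hosting this partition
        $replicas = $partition.FindAllDirectoryServers() | ForEach-Object { $_.Name }
        [pscustomobject]@{
            Partition    = $partition.Name
            ReplicaCount = @($replicas).Count
            Replicas     = (@($replicas) -join ', ')
        }
    }
}

$state = Get-DnsApplicationPartitionReplicas
if (-not $state) {
    # Expected only between step 1 (partitions deleted) and step 2 (zones recreated)
    Write-Output 'No DomainDnsZones/ForestDnsZones application partitions found in this forest.'
} else {
    # Before step 1 and after step 2 every DNS-hosting DC should appear as a replica
    $state | Format-Table -AutoSize
}
```

Run it again after step 2 and wait until ReplicaCount matches the number of DNS-hosting domain controllers before treating the rebuild as complete.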

Microsoft Identity Lifecycle Manager Service Pack 1 Feature Pack 1 (ILM 2007 SP1 FP1) can be used to pre-stage the user accounts with the appropriate attributes in a destination forest for cross-forest mailbox moves. The out-of-the-box GALSync MA cannot be used, since it creates a contact object instead of the user object required for Online Mailbox Move. Microsoft has provided a sample code extension for the management agents to perform this, which can be downloaded from:

The problem with this sample code is that it was only designed for migration between two forests. My customer wishes to pre-stage user accounts from 2 forests into a new forest, meaning I have two source forests! In the OneWaySync.xml file by default we have:

I worked with a Microsoft FIM (Forefront Identity Manager) expert named Tracy Yu and together we made changes to the sample code and recompiled a new DLL to account for multiple source forests.

The file we needed to edit was Microsoft.Exchange.Sample.OneWayGALSync.MVRules.dll. The source code for this file is located in the solution folder of the ILM sample code package, in a file named Microsoft.Exchange.Sample.OneWayGALSync.MVRules.cs. Here is our new code, with any changes made shown in red:

I was synchronizing over 5000 users to the new forest. Synchronization was failing with stopped-error-limit.

I found out that MIIS, ILM and FIM only allow up to 5000 objects by default. You can change this with a DWORD in the registry, which you create under HKLM\SYSTEM\CurrentControlSet\miisserver\Parameters. This is documented by Microsoft in KB2387673.